PLEASE NOTE: I HAVE PERMANENTLY MOVED MY BLOG TO http://www.rationalsurvivability.com/blog

January 10, 2008

So here's an interesting spin on de/re-perimeterization: if people think we cannot achieve, and cannot afford to wait for, secure operating systems, secure protocols and self-defending information-centric environments, but need to "secure" their environments today, I have a simple question, supported by a simple equation for illustration:

For the majority of mobile and internal users in a typical corporation who use the basic set of applications:

Assume a company that: ...fits within the 90% of those who still have data centers, isn't completely outsourced/off-shored for IT, supports a remote workforce that uses Microsoft OS and the usual suspect applications, and doesn't plan on utilizing distributed grid computing and widespread third-party SaaS

You get: Less risk. Less cost. Better control over data. More "secure" operations. Better resilience. Assurance of information. Simplified operations. Easier backup. One version of the truth (data).

I really just don't get why we continue to deploy and are forced to support remote platforms we can't protect, allow our data to inhabit islands we can't control and at the same time admit the inevitability of disaster while continuing to spend our money on solutions that can't possibly solve the problems.

If we're going to be information centric, we should take the first rational and reasonable steps toward doing so. Until the operating systems are more secure and the data can self-describe and cause the compute and network stacks to "self-defend," why do we continue to focus on the endpoint? It's a waste of time.

If we can isolate and reduce the number of avenues of access to data and leverage dumb presentation platforms to do it, why aren't we?

...I mean besides the fact that an entire industry has been leeching off this mess for decades...

I'll Gladly Pay You Tuesday For A Secure Solution Today...

The technology exists TODAY to centralize the bulk of our most important assets and allow our workforce to accomplish their goals and the business to function just as well (perhaps better) without the need for data to actually "leave" the data centers in whose security we have already invested so much money.

Many people are already doing that with their servers through the adoption of virtualization. Now they need to do the same with their clients.

The only reason we're now going absolutely stupid and spending money on securing endpoints in their current state is because we're CAUSING (not just allowing) data to leave our enclaves. In fact with all this blabla2.0 hype, we've convinced ourselves we must.

Hogwash. I've posted on the consumerization of IT where companies are allowing their employees to use their own compute platforms. How do you think many of them do this?

Relax, Dude...Keep Your Firewalls...

In the case of centralized computing and streamed desktops to dumb/thin clients, the "perimeter" still includes our data centers and security castles/moats, but it also encapsulates a streamed, virtualized, encrypted, and authenticated thin-client session bubble. The endpoint stops being something to worry about; it's nothing more than a flickering display with a keyboard/mouse.

Let your kid use Limewire. Let Uncle Bob surf pr0n. Let wifey download spyware. If my data and applications don't live on the machine and all the clicks/mouseys are just screen updates, what do I care?

Yup, you can still use a screen scraper or a camera phone to misuse data, but this is where balancing risk comes into play. Let's keep the discussion within the 80% of reasonable, factored arguments. We'll never eliminate 100%, and we don't have to in order to be successful.

Sure, there are exceptions and corner cases where data *does* need to leave our embrace, but we can eliminate an entire class of problem if we take advantage of what we have today and stop this endpoint madness.

This goes for internal corporate users who are chained to their desks and not just mobile users.

September 02, 2007

I had an interesting email this last week from a former co-worker that I found philosophically interesting (if not alarming). It was slightly baited, but the sender is a smart cookie who was obviously looking for a little backup.

Not being one to shy away from discourse (or a good old-fashioned geek debate on security philosophy) I pondered the topic.

Specifically, the query posed was centered on a suggested diametrically-opposed set of opinions on how, if at all, IPS devices and firewalls ought to behave differently when they fail:

I was having a philosophical discussion with [He who shall not be named] today about uptime expectations of IPS vs. Firewall. The discussion was in reference to a security admin's expectation of IPS "upness" vs. Firewall's.

Basic question: if a firewall goes down we naturally expect it to BLOCK all traffic. However, if an IPS goes down, the prevailing theory is that the IPS should ALLOW all traffic, or in other words fail open.

[He who shall not be named] says this is because best practices say that a firewall is a default DENY ALL device, whereas an IPS is a default ALLOW ALL device.

My thinking is trying to be a little more progressive. If Firewalls protect at Layer 3 and IPSes at L4-7, then why would you open yourself up at L4-7 when the device fails? I know that the concept of "firewall" is morphing these days especially to include more L4-7 inspection. But the question is the same. Are security admins starting to consider protocol and payload analysis as important as IP and Port protection? Or are we all still playing with sticks and fire in the mud?

I know you're all focused on virtualization these days, but how about a good old religious firewall debate!

I responded to this email with my own set of beliefs and foundational arguments which challenged several of the statements above, but I'm interested in two things from you, dear reader, and hope you'll comment back with your opinions:

Do you recognize that there are two valid perspectives here? Would you fail open on one and closed on another?

If your answer to question #1 is yes, which do you support and why?

You can assume, for the sake of argument, that you have only a firewall, only an IPS, or both devices in-line with one another. Talk amongst yourselves...
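To make the failure matrix behind that question concrete, here is a small Python model I added; it is not code from the post, the emailer, or any firewall or IPS product. It assumes a default-deny L3/L4 firewall (allow-list of ports) in front of a default-allow L4-7 IPS (block-list of payload signatures), and every packet, port, and signature in it is constructed for illustration. Each device has an `up` flag and a `fail_mode`, so the same chain can be evaluated with either box down and with either failure policy.

```python
"""Toy model of an in-line firewall + IPS chain under device failure.

Added example, not from the original post. The packets, the firewall
allow-list and the IPS signature list are all constructed for illustration
and are not taken from any product.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Packet:
    dst_port: int
    payload: bytes


@dataclass
class Device:
    name: str
    inspect: Callable[[Packet], bool]  # True = allow, False = block
    up: bool = True
    fail_mode: str = "closed"          # "closed": block all when down
                                       # "open":   allow all when down

    def verdict(self, pkt: Packet) -> bool:
        if not self.up:
            return self.fail_mode == "open"
        return self.inspect(pkt)


def forward(chain: List[Device], pkt: Packet) -> bool:
    """A packet reaches the host only if every in-line device allows it."""
    return all(dev.verdict(pkt) for dev in chain)


# Constructed firewall policy: default DENY, L3/L4 only (port allow-list).
ALLOWED_PORTS = {80, 443}


def firewall_rules(pkt: Packet) -> bool:
    return pkt.dst_port in ALLOWED_PORTS


# Constructed IPS policy: default ALLOW, L4-7 (payload signature block-list).
SIGNATURES = [b"../../", b"' OR 1=1"]


def ips_rules(pkt: Packet) -> bool:
    return not any(sig in pkt.payload for sig in SIGNATURES)


def make_firewall(up: bool = True) -> Device:
    # Firewalls conventionally fail closed; the model keeps that fixed.
    return Device("firewall", firewall_rules, up, "closed")


def make_ips(up: bool = True, fail_mode: str = "open") -> Device:
    return Device("ips", ips_rules, up, fail_mode)


# Constructed sample traffic: benign and malicious on an allowed and a denied port.
TRAFFIC = {
    "benign_http": Packet(80, b"GET /index.html HTTP/1.1"),
    "traversal_http": Packet(80, b"GET /../../etc/passwd HTTP/1.1"),
    "telnet": Packet(23, b"login: root"),
    "traversal_telnet": Packet(23, b"cat ../../etc/shadow"),
}


def exposure(chain: List[Device]) -> List[str]:
    """Names of the constructed packets that reach the protected host."""
    return sorted(name for name, pkt in TRAFFIC.items() if forward(chain, pkt))


def failure_matrix() -> dict:
    """Exposure for the deployments the post asks about, under each failure."""
    return {
        "fw+ips, all up": exposure([make_firewall(), make_ips()]),
        "fw up, ips down (fail open)": exposure(
            [make_firewall(), make_ips(up=False, fail_mode="open")]),
        "fw up, ips down (fail closed)": exposure(
            [make_firewall(), make_ips(up=False, fail_mode="closed")]),
        "fw down (fail closed), ips up": exposure(
            [make_firewall(up=False), make_ips()]),
        "fw only": exposure([make_firewall()]),
        "ips only, up": exposure([make_ips()]),
        "ips only, down (fail open)": exposure(
            [make_ips(up=False, fail_mode="open")]),
    }


if __name__ == "__main__":
    for scenario, passed in failure_matrix().items():
        print(f"{scenario:32s} -> {passed or 'nothing'}")
```

Running it shows the crux of the debate: with the IPS failed open behind a default-deny firewall, the only new exposure is L4-7 attacks on the ports the firewall already permits (here `traversal_http`), while an IPS that fails closed turns an IPS outage into a full outage, which is exactly the "upness" trade-off the email raises. The IPS-only rows also make the emailer's "default ALLOW ALL" point visible: even when the IPS is up, the unsignatured telnet login passes. On Linux, an NFQUEUE-based in-line inspector expresses this same choice with the iptables `--queue-bypass` option: without it, queued packets are dropped when no userspace program is listening (fail closed); with it, the rule behaves like ACCEPT (fail open).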